You can also use any other middleware that defines req.session, but keep in mind that the session should be signed. It should also be encrypted if the site is not served over HTTPS; otherwise replay attacks are possible.

(optional) Use the user information

After passing through the SSO middleware, the requests will have the user property defined:

req.user = {email: "user@yourcompany.com", ...}

The value is cached in the session cookie for 5 minutes between requests to Google.
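The two session properties mentioned above, a signed value and a 5-minute cache window, can be sketched as follows. This is an added example, not the middleware's own code: the helper names (sealSession, openSession), the cookie layout and the demo secret are assumptions made for illustration.

```javascript
// Added example; helper names and cookie layout are hypothetical, not the middleware's.
const crypto = require("crypto");

const CACHE_TTL_MS = 5 * 60 * 1000; // the 5-minute cache window

const hmac = (payload, secret) =>
  crypto.createHmac("sha256", secret).update(payload).digest();

// Serialize the user with an issue time and append an HMAC-SHA256 tag.
function sealSession(user, secret, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({ user, issuedAt: now })).toString("base64url");
  return `${payload}.${hmac(payload, secret).toString("base64url")}`;
}

// Return the cached user, or null if the value is malformed, tampered with or stale.
function openSession(cookie, secret, now = Date.now()) {
  if (typeof cookie !== "string") return null;
  const parts = cookie.split(".");
  if (parts.length !== 2) return null;
  const expected = hmac(parts[0], secret);
  const given = Buffer.from(parts[1], "base64url");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let data;
  try {
    data = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  } catch {
    return null;
  }
  const age = now - data.issuedAt;
  if (typeof data.issuedAt !== "number" || age < 0 || age > CACHE_TTL_MS) return null;
  return data.user;
}

// Constructed inputs: a valid cookie, a copy with a swapped payload, and a stale read.
function demo() {
  const secret = "constructed-demo-secret";
  const t0 = 1700000000000;
  const cookie = sealSession({ email: "user@yourcompany.com" }, secret, t0);
  const swapped = Buffer.from(
    JSON.stringify({ user: { email: "admin@yourcompany.com" }, issuedAt: t0 })
  ).toString("base64url");
  return {
    fresh: openSession(cookie, secret, t0 + 60 * 1000),
    tampered: openSession(`${swapped}.${cookie.split(".")[1]}`, secret, t0 + 60 * 1000),
    stale: openSession(cookie, secret, t0 + CACHE_TTL_MS + 1),
  };
}
```

Signing only detects modification: an unmodified cookie still verifies until its issue time falls outside the window.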

(optional) Logout

Since the middleware does not explicitly prompt the user to log in but does it automatically, it makes little sense to log the user out by just destroying the local session: the user will just be logged right back in.

To clear the session as well as log the user out of Google Apps, call res.logout().